@scottalanmiller said in What's the status on DMARC?:

@JaredBusch said in What's the status on DMARC?:

That image is a stander O365 box that only takes a few clicks to setup. How have you not seen that?

Very few customers using O365 and none using that feature, I'd imagine. How does it display to people not on O365?

We see something else from all kinds of users all different systems all over.

A lot of SPam Filtering systems do have that option as well. A lot of medical and financial businesses enable this.

@Grey said in Private DNS architecture?:

@Pete-S said in Private DNS architecture?:

@Grey said in Private DNS architecture?:

This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?

@Grey It may very well be too complicated. At the same time it has to be fast, robust and the parts have to be able to work independently if a VPN link goes down.

Ok, cut the line to the internet. Can they still function? What doesn't work? What gets cached at your app server? How much data is transferred when the line returns?
How much actual resilience does the business need vs what they can sustain, and what's the risk? Has anyone answered these questions before?

The diagram is a simplified. It's only internal company traffic that goes over the VPN in the drawing. The data centers also serves other clients that are not connected over VPN. That actually their primary job - they are serving customers, not just internal workloads.

When it comes to resilience and risk, it's the data centers that have to be up and running. So they have redundant everything. The rest is just ordinary SMB stuff.

PS. Also in the data center we are doing HA in the application layer and not the hypervisor layer. So having two DNS servers made sense to me since that will be natural HA in the application layer.

@Pete-S said in Does intra-VM traffic leave the host?:

@scottalanmiller said in Does intra-VM traffic leave the host?:

What's the use case here? Maybe there is another approach that would be effective?

Mostly isolate and allow some well know traffic on appliance type VMs and VMs that we don't admin - without having to put each workload in it's own subnet.

Hmmm... I see why you might want it.

I don't really use them. I have 3 monitors though. they have been around forever it seems but limited use for me. I do it occasionally but not really out of necessity.

I find it to not be of concern. I would never have it happen, because it's a bizarre and problematic way to handle internal DNS. But anyone who can exploit private IP mapping can figure it out without DNS in the first place. So I see no reason to want to hide it.

@Pete-S said in Zoho spam settings?:

Thanks Scott. That makes sense.

We're using imap clients so maybe that will exacerbate the problem since it will probably not learn what is spam and what isn't.

Oh yeah. We don't use IMAP so the training is quick and direct.

@Pete-S said in Can Cloudflare handle country-code TLDs?:

Can Cloudflare be a registrar for country-code TLDs such as it, eu, de, uk?

If it can, it can't do all. We have ones like .co and .it and they cannot be handled.

What about archiving instead of backup? MailStore is good

@Pete-S said in What subdomain for web conference/meetings?:

Thanks!

meet.example.com looks more generic so I'll use that.

I agree. Seems potentially less confusing for users.

@JaredBusch said in Distro for school work?:

@Pete-S said in Distro for school work?:

Installed minecraft as well and it was really easy.

Just click on the link to the deb package and you're done. Apt package manager will pull in java and whatever else that is needed.
https://launcher.mojang.com/download/Minecraft.deb

Webcam works, tested it with cheese, which is installed by default.

All in all a smooth experience and mission accomplished.

If Roblox worked on Linux I could switch my kids. Those are the only two PC games they play at the moment.

Same

@DustinB3403 said in Virtual team ideas?:

Time sensitivity is important, people have a hard time showing up on time for a meeting physically. Making people wait with a headset on is just additional irritation that they won't take well.

I personally always show up early 1-5 minutes for a meeting. If I had to wait an additional 15 I'd be using collage rules and counting my attendance as there even if the host isn't.

I think putting a headset on is easier than going to room a people honestly.

@stacksofplates said in RDP to RDP to RDP?:

@Pete-S said in RDP to RDP to RDP?:

@Obsolesce said in RDP to RDP to RDP?:

@Pete-S said in RDP to RDP to RDP?:

Purdue Model

Except that model is basically dead...

https://dale-peterson.com/2019/02/11/is-the-purdue-model-dead/

No, not at all. You have to listen to the whole thing if you are going to draw any conclusions. Can't just google and use the headline 🙂

It really is. It’s overly complex and has much less return on investment and security than something like the zero trust model.

I'm not an ICS infosec expert. I just know what enterprises that have big plants in the oil & gas, pulp & paper, chemical industry have and what they have is what I said they have. And if I look at Homeland Security, NIST etc what they have as best practice is what the customers are doing. Will it change in the future? Sure, everything does.

I use this 61 watt apple charger for all my USB-C charging needs.

It even works for my P1, but only slow charges that, but as you can see, USC-C dishes out high voltage and at 3 amps, as well as lower voltage for phones.

20200317_073732.jpg

https://venturebeat.com/2016/07/13/skype-announces-new-webrtc-alpha-version-for-linux-chromebook-users-can-now-make-voice-calls/

Did they kill it off, maybe?

@Pete-S said in sftp without ssh shell access?:

Thanks guys.

To summarize the link above, it's these lines in sshd_config that does the magic.

Match User sftpuser ForceCommand internal-sftp <snip>

The first line will tell sshd what user(s) the rest of the settings apply to.
The second line tells it to go straight into sftp mode. So this will only apply to the users that match the rule above.

Just make sure to test SSH after you do the changes ok a new session otherwise you might just have broken SSH access.

@Pete-S said in Opinions on POS/label printers?:

@Dashrender said in Opinions on POS/label printers?:

@Pete-S said in Opinions on POS/label printers?:

@scottalanmiller said in Opinions on POS/label printers?:

Any reason not to look Dymo? We like them a lot.

Does Dymo make standard thermal transfer printers? I thought they only made printers that would print on their own media.

What does this mean? I have Dymos all over, we buy non Dymo branded labels from Amazon and they work fine. Is there something special about that type of label though?

What I meant was that Dymo makes printers that takes Dymo labels. Sure other might make compatible labels but that is not what Dymo had in mind. Dymo sells their printers because they want you to buy their labels (which is where they make money).

Zebra and others on the other hand makes generic printers that take standard size media - just like an office printer takes "letter" size paper.

OK I getcha... like Keurig tried to pull with scanning a barcode on coffee pods - total fail! People will do damned near anything to override your lock-in when possible.

Also another thing is that XCP-ng it is finally able to support UEFI boot which was nice.

@scottalanmiller
Thanks for the clarification

@Pete-S said in How does name resolution work in AD?:

@Dashrender said in How does name resolution work in AD?:

@scottalanmiller said in How does name resolution work in AD?:

@Pete-S said in How does name resolution work in AD?:

I was wondering how it works because we see a problem where a couple of Win 10 clients can resolve all the internal Windows servers names, but not the statically assigned names of linux servers.

I thought if the name resolution works over different mechanisms and uses different ports it could be an firewall or L3 switch somewhere that has been misconfigured.

This is common in situations where Linux is not given an opportunity to auto-update the DNS entries, no one makes them manually, and they are not joined to AD.

Exactly - have you or anyone else added these servers to AD's DNS?

They have been added manually. The name of the service is also not the name as the server. So if a webserver is abc001.company.com the name in the DNS that will send you to that server might be logistics.company.com.

if you're being sent to logistics, that's the entry that must be in DNS.. you can have as many entries as are needed for a single server.
each name is it's own entry.